MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b254d7faa603b46c4c63f6d1f88d65767fb80638a000967fe527b9572b956e35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b254d7faa603b46c4c63f6d1f88d65767fb80638a000967fe527b9572b956e35
SHA3-384 hash: a0c18da3cd8b0f7e9f6f2117c0d89e77305a1f99595f449649357f2d024ea271d3820067df089138888b9af2f27505f9
SHA1 hash: 2ec3961bd341f8f4ac000eba2fc0f3dc48889030
MD5 hash: aca25d6b9b908d7745917f609dee36dc
humanhash: queen-jupiter-pizza-sixteen
File name:aca25d6b9b908d7745917f609dee36dc.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:868'864 bytes
First seen:2020-08-03 13:01:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:0AHnh+eWsN3skA4RV1Hom2KXMmHa0vt5:Dh+ZkldoPK8Ya0v
Threatray 168 similar samples on MalwareBazaar
TLSH DE058B0273D1C036FFABA2739B6AF60556BC79254133852F13981DB9BD701B2263E663
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader


Avatar
abuse_ch
http://cmcare.ca/1/

Intelligence

File Origin
# of uploads :
1
# of downloads :
740
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/37833/
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Sending a UDP request
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Connection attempt
Sending an HTTP POST request
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Setting browser functions hooks
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Unauthorized injection to a browser process
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/407932
Signature
Binary is likely a compiled AutoIt script file
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 256200 Sample: o3lnC0ZwUc.exe Startdate: 03/08/2020 Architecture: WINDOWS Score: 52 28 Binary is likely a compiled AutoIt script file 2->28 30 Connects to a pastebin service (likely for C&C) 2->30 32 Bypasses PowerShell execution policy 2->32 8 o3lnC0ZwUc.exe 2->8         started        process3 signatures4 34 Binary is likely a compiled AutoIt script file 8->34 11 powershell.exe 9 8->11         started        process5 process6 13 powershell.exe 15 17 11->13         started        16 conhost.exe 11->16         started        dnsIp7 26 paste.ee 104.18.49.20, 443, 49738 CLOUDFLARENETUS United States 13->26 18 MSBuild.exe 13->18         started        20 MSBuild.exe 13->20         started        22 MSBuild.exe 13->22         started        24 9 other processes 13->24 process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b254d7faa603b46c4c63f6d1f88d65767fb80638a000967fe527b9572b956e35/
Threat name:
Win32.Trojan.Povertel
Create hunting rule
Status:
Malicious
First seen:
2020-08-03 05:10:20 UTC
AV detection:
34 of 48 (70.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wjknp6vgao2gytdd63i7rdlfoz73qbryuaajm77fe64vok4vny2q._file
Verdict:
malicious
Similar samples:
0c3ffcd5a7623471ea4ebd0df78300568f641bba314b956f5837c2b829c87334
Smoke Loader
3afe4dd1466eb99bc7ab905a2363173dc043f9060982c49b6f5da73293f7d6ed
Smoke Loader
50871371de6754f17507213f50bd7748814f8a99899599f835701c5a772c89c7
Smoke Loader
65c86813da2eb5bfc495e538fa4e77f8c3a3c03418e655ac8262bc0aa42281ba
Smoke Loader
693626ad4ce750ecb027980dfb505ca69872923702dfe564e0adcb651e8c60d9
Smoke Loader
70d7fcf7b575d4dd4dbc398ac7f02d9acd46015541211e32a11fc7534662db74
Smoke Loader
849af25a67d831b8e5d90cc6e4b51014a3a4d9f474f7363865cbd98c4dc0ea5a
Smoke Loader
cb663a4fa79cb0fcb52c3049b65b1a012c45e72badc13c931fc2c72a8a94dcca
Smoke Loader
d7a340421f260de130a285233b110130fbccd2f26f1f70fc1600bf2855073017
Smoke Loader
e7c777cc2838334214d3349178f52cd2fdce9138cbd51de1c62bcc73a3478a4f
Smoke Loader
+ 158 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
trojan backdoor family:smokeloader
Link:
https://tria.ge/reports/200803-8ncqvyvrsj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops file in System32 directory
Maps connected drives based on registry
Blacklisted process makes network request
SmokeLoader
Malware Config
C2 Extraction:
http://185.35.137.147/mlp/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
GameHack
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b254d7faa603b46c4c63f6d1f88d65767fb80638a000967fe527b9572b956e35

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe b254d7faa603b46c4c63f6d1f88d65767fb80638a000967fe527b9572b956e35

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/37833/
  
URLhaus
https://urlhaus.abuse.ch/url/423763/
  
Delivery method
Distributed via web download

Comments